Re: [I] ip_restriction plugin is not whitelisting the individual ips [apisix]
NellyNakhero commented on issue #11088:
URL: https://github.com/apache/apisix/issues/11088#issuecomment-2019494913

@kayx23 When logging, the IP I am able to fetch is the cluster IP, which, when whitelisted, removes the restrictions for everyone using my APIs. Is there a way that I can use the device IP instead of the cluster IP, or any alternative to achieve such a behaviour?

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[PR] feat(openid-connect): allow set headers in introspection request [apisix]
yuweizzz opened a new pull request, #11090:
URL: https://github.com/apache/apisix/pull/11090

### Description

Fixes #10601 allow set headers in introspection request.

### Checklist

- [ ] I have explained the need for this PR and the problem it solves
- [ ] I have explained the changes or the new features added to this PR
- [ ] I have added tests corresponding to this change
- [ ] I have updated the documentation to reflect this change
- [ ] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first)
Re: [I] bug: Enabling discovery kubernetes services configuration doesn't list cluster existing endpoints in Dashboard Service list [apisix]
hanqingwu commented on issue #11057:
URL: https://github.com/apache/apisix/issues/11057#issuecomment-2019221617

@singhajitk, from viewing the source code, I do not find a dump_data interface in discovery kubernetes.
Re: [PR] docs: add release notes 3.9.0 [apisix-website]
kayx23 commented on PR #1777:
URL: https://github.com/apache/apisix-website/pull/1777#issuecomment-2018937376

cc @Yilialinn in case I forget to ping you again
Re: [I] docs: add docs for `ocsp-stapling` plugin [apisix]
kayx23 closed issue #11066: docs: add docs for `ocsp-stapling` plugin
URL: https://github.com/apache/apisix/issues/11066
[PR] fix(openid-connect): Close session in case of error to avoid blocked … [apisix]
markusmueller opened a new pull request, #11089:
URL: https://github.com/apache/apisix/pull/11089

…session on locking session storage (example unauth_action=deny)

### Description

This PR is fixing a bug where sessions are blocked until ttl is expired in case of an authentication error. For example unauthenticated session and `unauth_action='deny'` and locking session storage is configured. Basically the same problem as in https://github.com/apache/apisix/pull/10788 but in case of error.

Fixes # (issue)

### Checklist

- [ ] I have explained the need for this PR and the problem it solves
- [ ] I have explained the changes or the new features added to this PR
- [ ] I have added tests corresponding to this change
- [ ] I have updated the documentation to reflect this change
- [ ] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first)
Re: [I] bug: Enabling discovery kubernetes services configuration doesn't list cluster existing endpoints in Dashboard Service list [apisix]
singhajitk commented on issue #11057:
URL: https://github.com/apache/apisix/issues/11057#issuecomment-2018308195

> @singhajitk, I think you confuse about apisix service and Kubernetes service endpoints. The dashboard only show apisix service "A service consists of a combination of public plugin configuration and upstream target information in a route" I think maybe there is no admin api to list Kubernetes service endpoints yet.

Hi @hanqingwu,

As per the apisix/discovery/kubernetes (https://apisix.apache.org/docs/apisix/discovery/kubernetes/) documentation, it looks like kubernetes services should get listed. The apisix services are getting listed without providing the discovery->kubernetes configuration.

@shreemaan-abhishek, please correct me if my understanding is wrong that "kubernetes services should get listed when discovery->kubernetes configuration" is enabled?
Re: [PR] fix: forward-auth Adding post request headers only if authservice request method is post [apisix]
suryaprabhakark commented on code in PR #11021:
URL: https://github.com/apache/apisix/pull/11021#discussion_r1537518599

## apisix/plugins/forward-auth.lua: ## @@ -89,11 +89,15 @@ function _M.access(conf, ctx) ["X-Forwarded-Host"] = core.request.get_host(ctx), ["X-Forwarded-Uri"] = ctx.var.request_uri, ["X-Forwarded-For"] = core.request.get_remote_client_ip(ctx), -["Expect"] = core.request.header(ctx, "expect"), -["Content-Length"] = core.request.header(ctx, "content-length"), -["Transfer-Encoding"] = core.request.header(ctx, "transfer-encoding") } +if conf.request_method == "POST" then +auth_headers["Content-Length"] = core.request.header(ctx, "content-length")

Review Comment:
@membphis If the auth server `request_method` is POST, the same upstream body is being forwarded to the auth server as well; that's why we need this header in case it's present.
Below code reference is where the body is being added to the auth API request.
https://github.com/apache/apisix/pull/11021/files/48112cc9057b16611ba86d0761a84dd635ac0e8b#diff-4b85e7666119852676bcd1c5fd15889e752f061a9ae891e10a0cbbefd30c2e0dL115-L124
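Review bot: In the added `if conf.request_method == "POST"` branch, `auth_headers["Content-Length"]` is copied verbatim from the client request, so it is only correct when the body sent to the auth service is byte-for-byte the body the client sent. Since the reply above says the same body is forwarded, consider letting the HTTP client derive the length from the body it actually sends instead of trusting the inbound header, and make explicit in this branch how a chunked client request (no `Content-Length`, previously covered by the removed `["Transfer-Encoding"]` line) is framed; a length that disagrees with the forwarded body lets the gateway and the auth service disagree about where the request ends. A test with `request_method` set to `GET` and a client request that carries a body would pin down the behaviour this change is after.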
Re: [I] Unable to validate audience claim using openid-connect [apisix]
njanelt commented on issue #11018:
URL: https://github.com/apache/apisix/issues/11018#issuecomment-2017679563

> Hello, we are facing the same issue (not being able to validate the aud claim). Just to recap:
>
> We are using the openid-connect with the following parameters configured:
>
> * `discovery` with the `.well-known/openid-configuration` endpoint
> * `client_id`
> * `client_secret`
> * `bearer_only` set to `true`
> * `introspection_endpoint` with the `openid-connect/token/introspect` endpoint
> * `use_jwks` set to true, otherwise everything fails with 401
>
> Alternative of the last two, is to set the public key instead.
>
> I expect openid-connect to allow Bearer tokens that are created with the provided `client_id` and `client_secret` but instead, all valid tokens even from other clients are allowed.
>
> If this is true and this is the intended behaviour, it sounds like a quite serious security issue imo. Can you confirm that this is the result of your tests too? Is there any other similar plugin that offers this functionality?
>
> Is this something you can verify @shreemaan-abhishek ?

Yes, I am facing the same issue. @shreemaan-abhishek is this really the intended behaviour? I think for most use cases this plugin is not usable if it behaves like that.
(apisix) tag 3.9.0 created (now 9bcabaf12)
This is an automated email from the ASF dual-hosted git repository. shreemaanabhishek pushed a change to tag 3.9.0 in repository https://gitbox.apache.org/repos/asf/apisix.git at 9bcabaf12 (commit) No new revisions were added by this update.
Re: [I] ip_restriction plugin is not whitelisting the individual ips [apisix]
kayx23 commented on issue #11088:
URL: https://github.com/apache/apisix/issues/11088#issuecomment-2017643013

Try a logging plugin on APISIX and log the request IP?
Re: [I] help request: upstream related header is missing when using external plugins [apisix]
github-actions[bot] commented on issue #10369:
URL: https://github.com/apache/apisix/issues/10369#issuecomment-2017628135

Due to lack of the reporter's response this issue has been labeled with "no response". It will be closed in 3 days if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the d...@apisix.apache.org list. Thank you for your contributions.
Re: [PR] fix: forward-auth Adding post request headers only if authservice request method is post [apisix]
suryaprabhakark commented on PR #11021:
URL: https://github.com/apache/apisix/pull/11021#issuecomment-2017616551

@BrandonArp @shreemaan-abhishek Got the following errors in the tests, could you please help.

`Error: nginx: [error] open() "/home/runner/work/apisix/apisix/logs/nginx.pid" failed (2: No such file or directory)
Error: 2024/03/24 06:39:06 [error] 94305#94305: *155 stream [lua] radixtree_sni.lua:178: match_and_set(): failed to find any SSL certificate by SNI: test.com, context: ssl_certificate_by_lua*, client: 127.0.0.1, server: 0.0.0.0:9100
`
Re: [I] ip_restriction plugin is not whitelisting the individual ips [apisix]
NellyNakhero commented on issue #11088:
URL: https://github.com/apache/apisix/issues/11088#issuecomment-2017603592

The APISIX is deployed in a k8s cluster. Will that in essence affect the IP? @kayx23
Re: [I] ip_restriction plugin is not whitelisting the individual ips [apisix]
kayx23 commented on issue #11088:
URL: https://github.com/apache/apisix/issues/11088#issuecomment-2017586861

How and where are you deploying APISIX? Try with your external IP?
[I] ip_restriction plugin is not whitelisting the individual ips [apisix]
NellyNakhero opened a new issue, #11088:
URL: https://github.com/apache/apisix/issues/11088

### Description

@kayx23 for ip-restriction the expected behavior is that when I whitelist my device IP, I should be able to have access. However, at the moment, when I whitelist a device's network IP, they still don't have access. Any guidance?

This is a sample image of how I am getting my IP
![image](https://github.com/apache/apisix/assets/7370/92cb5cbd-17e0-48ca-8c06-ea298eb3f0d8)

And this is a sample of how I am whitelisting
https://github.com/apache/apisix/assets/7370/c09cb4c4-570c-4ecf-8dd2-e3e130c159d9

### Environment

- APISIX version (run `apisix version`):
- Operating system (run `uname -a`):
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
- APISIX Dashboard version, if relevant:
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run `luarocks --version`):
Re: [I] feat: ip-restriction shoud strict the real_ip [apisix]
NellyNakhero commented on issue #11075:
URL: https://github.com/apache/apisix/issues/11075#issuecomment-2017536078

@kayx23 for ip-restriction the expected behavior is that when I whitelist my device IP, I should be able to have access. However, at the moment, when I whitelist a device's network IP, they still don't have access. Any guidance?
Re: [I] bug: get error when set proxy_mode to http&stream [apisix]
TimXu0713 commented on issue #11056:
URL: https://github.com/apache/apisix/issues/11056#issuecomment-2017538972

> Yes, I can reproduce. When upgrade apisix by --set "service.stream.enabled=true", then apisix config "proxy_mode: http&stream" but stream_proxy not config yet, so you can try to config stream_proxy in configmap apisix like this.
>
> ```
> proxy_mode: http&stream
> stream_proxy:                 # TCP/UDP L4 proxy
>   only: true                  # Enable L4 proxy only without L7 proxy.
>   tcp:
>     - addr: 9100              # Set the TCP proxy listening ports.
>       tls: true
>     - addr: "127.0.0.1:9101"
> ```

Thanks, I manually edited the config file as you said, and the pod runs successfully.
[PR] require(crypto) [apisix-dashboard]
justnull opened a new pull request, #2937:
URL: https://github.com/apache/apisix-dashboard/pull/2937

Please answer these questions before submitting a pull request, **or your PR will get closed**.

**Why submit this pull request?**

- [ ] Bugfix [Error message "error:0308010C:digital envelope routines::unsupported"](https://stackoverflow.com/questions/69692842/error-message-error0308010cdigital-envelope-routinesunsupported)
Re: [I] docs: add docs for `ocsp-stapling` plugin [apisix]
yuweizzz commented on issue #11066:
URL: https://github.com/apache/apisix/issues/11066#issuecomment-2017438658

Completed in #10900
Re: [I] bug: Compression plugin brotli is not sending neither content-length nor transfer-encoding header [apisix]
yuweizzz commented on issue #11079:
URL: https://github.com/apache/apisix/issues/11079#issuecomment-2017429411

> Add the header is tricky part, but here is the fix for partial response.

The transfer-encoding header may be the reason why curl raises an error. Could you try `curl -i https://cluster.local/reviews/ -H 'Accept-Encoding: br,gzip' --http1.1` and check the headers? @SilentEntity
Re: [PR] fix: forward-auth Adding post request headers only if authservice request method is post [apisix]
membphis commented on code in PR #11021:
URL: https://github.com/apache/apisix/pull/11021#discussion_r1537163320

## apisix/plugins/forward-auth.lua: ## @@ -89,11 +89,15 @@ function _M.access(conf, ctx) ["X-Forwarded-Host"] = core.request.get_host(ctx), ["X-Forwarded-Uri"] = ctx.var.request_uri, ["X-Forwarded-For"] = core.request.get_remote_client_ip(ctx), -["Expect"] = core.request.header(ctx, "expect"), -["Content-Length"] = core.request.header(ctx, "content-length"), -["Transfer-Encoding"] = core.request.header(ctx, "transfer-encoding") } +if conf.request_method == "POST" then +auth_headers["Content-Length"] = core.request.header(ctx, "content-length")

Review Comment:
For HTTP requests, if the request header contains the ["Content-Length"] field, the request body should be included.

So I think this request header should not be included.
Re: [PR] feat: Autogenerate random API Key with helm install if not passed [apisix-helm-chart]
AlinsRan commented on code in PR #740:
URL: https://github.com/apache/apisix-helm-chart/pull/740#discussion_r1537154140

## charts/apisix/templates/configmap.yaml: ## @@ -326,6 +326,8 @@ data: - name: "admin" {{- if .Values.apisix.admin.credentials.secretName }} key: ${{"{{"}}APISIX_ADMIN_KEY{{"}}"}} +{{- else if eq .Values.apisix.admin.credentials.admin "" }} +key: {{ randAlphaNum 32 }}

Review Comment:
How do users know the key? You need to add a prompt output.

Perhaps managing admin-key through a secret would be more appropriate. What do you think?
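Review bot: `key: {{ randAlphaNum 32 }}` in the added `else if` branch is evaluated again at every render, so each `helm upgrade` or `helm template` run produces a different admin key, and the value is written in plain text into the ConfigMap instead of being referenced the way the `secretName` branch does with `key: ${{"{{"}}APISIX_ADMIN_KEY{{"}}"}}`. Generating the key once into a Secret, reusing the existing value on upgrade, and pointing this branch at it through the same environment-variable reference would keep the key stable across releases and out of the ConfigMap; the chart notes should then say where the operator reads it.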
Re: [PR] chore(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0 [apisix-ingress-controller]
codecov-commenter commented on PR #2196:
URL: https://github.com/apache/apisix-ingress-controller/pull/2196#issuecomment-2017358658

## [Codecov](https://app.codecov.io/gh/apache/apisix-ingress-controller/pull/2196?dropdown=coverage&src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) Report

All modified and coverable lines are covered by tests :white_check_mark:

> Project coverage is 37.38%. Comparing base [(`a51f0d9`)](https://app.codecov.io/gh/apache/apisix-ingress-controller/commit/a51f0d90eda4ca4ebac5f7345a1231fab8676670?dropdown=coverage&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) to head [(`046a519`)](https://app.codecov.io/gh/apache/apisix-ingress-controller/pull/2196?dropdown=coverage&src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache).

> :exclamation: Current head 046a519 differs from pull request most recent head 8326fcb. Consider uploading reports for the commit 8326fcb to get more accurate results

Additional details and impacted files

```diff
@@           Coverage Diff           @@
##           master    #2196   +/-   ##
=======================================
  Coverage   37.38%   37.38%
=======================================
  Files          94       94
  Lines        7971     7971
=======================================
  Hits         2980     2980
  Misses       4597     4597
  Partials      394      394
```

[:umbrella: View full report in Codecov by Sentry](https://app.codecov.io/gh/apache/apisix-ingress-controller/pull/2196?dropdown=coverage&src=pr&el=continue&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache).
:loudspeaker: Have feedback on the report? [Share it here](https://about.codecov.io/codecov-pr-comment-feedback/?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache).